Azure Device or Configuration Modified or Deleted

Identifies when a device or device configuration in azure is modified or deleted.

Sigma rule (View on GitHub)

 1title: Azure Device or Configuration Modified or Deleted
 2id: 46530378-f9db-4af9-a9e5-889c177d3881
 3status: test
 4description: Identifies when a device or device configuration in azure is modified or deleted.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities#core-directory
 7author: Austin Songer @austinsonger
 8date: 2021/09/03
 9modified: 2022/10/09
10tags:
11    - attack.impact
12    - attack.t1485
13    - attack.t1565.001
14logsource:
15    product: azure
16    service: activitylogs
17detection:
18    selection:
19        properties.message:
20            - Delete device
21            - Delete device configuration
22            - Update device
23            - Update device configuration
24    condition: selection
25falsepositives:
26    - Device or device configuration being modified or deleted may be performed by a system administrator.
27    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
28    - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
29level: medium

References

Related rules

to-top